There is one particular outside mail server we're having trouble sending to. Basically, our server (Groupwise) does an EHLO, and the other server offers STARTTLS. Our server sends a STARTTLS, sends a few bytes of encrypted data, and then the other server sends a RST.
If we try a test server outside the PIX, everything is fine.
I've looked at "no fixup protocol smtp 25" and "no inspect esmtp" and those already seem to be in place.
Could the pix be doing something with the certificate? Could esmtp inspection still be on?